Amendments to the Claims

Please amend claims 1, 12, 14, and 40 as follows:

1. (Currently Amended) A method for virtualizing super-user privileges in a
computer operating system including multiple virtual processes, the method comprising:

designating a plurality of virtual super-users, each virtual super-user being associated
with a separate virtual process;
intercepting a system call for which actual super-user privileges are required; and
in response to the intercepted system call being made by a virtual super-user and
pertaining to the virtual process of the virtual super-user:
granting actual super-user privileges to the virtual super-user; and
allowing execution of the system call.

2. (Original) The method of claim 1, further comprising: 

withdrawing the actual super-user privileges from the virtual super-user after execution of 
the system call. 

3. (Original) The method of claim 1, wherein designating comprises: 
assigning a virtual super-user identifier to each virtual super-user. 

4. (Original) The method of claim 3, wherein each virtual super-user identifier 
comprises a super-user identifier and an indication of a virtual process. 






2181 6/04953/DOCS/l 397026. 1 



5. (Original) The method of claim 1, wherein designating comprises: 
assigning a user identifier to a virtual super-user; and 

storing the user identifier and an indication of the virtual process of the virtual super-user 
in a virtual super-user list. 

6. (Original) The method of claim 1, wherein granting comprises: 
assigning a super-user identifier to the virtual super-user. 

7. (Original) The method of claim 1, wherein the intercepted system call comprises a 
system call for accessing a file. 

8. (Original) The method of claim 7, wherein the intercepted system call pertains to the 
virtual process of the virtual super-user when the file to be accessed is associated with the same 
virtual process. 

9. (Original) The method of claim 1, wherein the intercepted system call comprises a 
system call for terminating a process. 

10. (Original) The method of claim 9, wherein the intercepted system call pertains to the 
virtual process of the virtual super-user when the process to be terminated is associated with the 
same virtual process. 

11. (Original) The method of claim 1, wherein the intercepted system call comprises a
system call for terminating all processes associated with a virtual process, the method further 
comprising: 

identifying each process associated with the virtual process; and 
terminating each identified process. 

12. (Currently Amended) The method of claim 11, wherein an association a data
structure stores associations between processes and virtual processes, and wherein identifying
comprises:

identifying each process by its association with the virtual process in the association data
structure.

13. (Original) The method of claim 1, wherein the system call is made by a virtual super- 
user when a user making the call has a virtual super-user identifier. 

14. (Currently Amended) The method of claim 1, wherein the system call is made by 
a virtual super-user when a user making the call has a user identifier in a virtual super-user list. 



15. (Original) The method of claim 1, further comprising:

responsive to the intercepted system call not being made by a virtual super-user,
disallowing execution of the system call.

16. (Original) The method of claim 1, further comprising:

responsive to the intercepted system call being made by a virtual super-user and not
pertaining to the virtual process of the virtual super-user, disallowing execution of
the system call.

17. (Original) The method of claim 1, further comprising: 

responsive to the intercepted system call comprising a system call for inserting a module 
into an operating system kernel, disallowing execution of the system call. 

18. (Original) The method of claim 1, wherein allowing comprises: 
executing the system call. 

19. (Original) The method of claim 1, wherein intercepting a system call comprises: 
loading a system call wrapper; 
saving a pointer to the system call; and 

replacing the pointer to the system call with a pointer to the system call wrapper, such 
that the system call wrapper is executed when the system call is invoked. 

20. (Original) The method of claim 19, wherein the pointer to the first system call 
comprises a system call vector. 

21. (Original) A computer program product for virtualizing super-user privileges in a 
computer operating system including multiple virtual processes, the computer program product 
comprising: 

program code for designating a plurality of virtual super-users, each virtual super-user
being associated with a separate virtual process;
program code for intercepting a system call for which actual super-user privileges are
required;
program code for determining that the intercepted system call was made by a virtual
super-user and pertains to the virtual process of the virtual super-user; granting
actual super-user privileges to the virtual super-user; and
allowing execution of the system call.

22. (Original) The computer program product of claim 21, further comprising:

program code for withdrawing the actual super-user privileges from the virtual super-user
after execution of the system call.

23. (Original) The computer program product of claim 21, wherein program code for
designating comprises:

program code for assigning a virtual super-user identifier to each virtual super-user.

24. (Original) The computer program product of claim 23, wherein each virtual super-
user identifier comprises a super-user identifier and an indication of a virtual process.

25. (Original) The computer program product of claim 21, wherein program code for
designating comprises:

program code for assigning a user identifier to a virtual super-user; and
program code for storing the user identifier and an indication of the virtual process of the
virtual super-user in a virtual super-user list.

26. (Original) The computer program product of claim 21, wherein program code for 
granting comprises: 

program code for assigning a super-user identifier to the virtual super-user. 

27. (Original) The computer program product of claim 21, wherein the intercepted 
system call comprises a system call for accessing a file. 

28. (Original) The computer program product of claim 27, wherein the intercepted 
system call pertains to the virtual process of the virtual super-user when the file to be accessed is 
associated with the same virtual process. 

29. (Original) The computer program product of claim 21, wherein the intercepted 
system call comprises a system call for terminating a process. 

30. (Original) The computer program product of claim 29, wherein the intercepted 
system call pertains to the virtual process of the virtual super-user when the process to be 
terminated is associated with the same virtual process. 

31. (Original) The computer program product of claim 21, wherein the intercepted
system call comprises a system call for terminating all processes associated with a virtual 
process, the computer program product further comprising: 

program code for identifying each process associated with the virtual process; and 
program code for terminating each identified process. 

32. (Original) The computer program product of claim 31, wherein an association data 
structure stores associations between processes and virtual processes, and wherein program code 
for identifying comprises: 

program code for identifying each process by its association with the virtual process in 
the association data structure. 

33. (Original) The computer program product of claim 21, wherein the system call is 
made by a virtual super-user when a user making the call has a virtual super-user identifier. 

34. (Original) The computer program product of claim 21, wherein the system call is 
made by a virtual super-user when a user making the call has a user identifier in a virtual super- 
user list. 

35. (Original) The computer program product of claim 21, further comprising: 
program code for disallowing execution of the system call in response to the intercepted
system call not being made by a virtual super-user.

36. (Original) The computer program product of claim 21, further comprising:
program code for disallowing execution of the system call in response to the intercepted
system call being made by a virtual super-user and not pertaining to the virtual
process of the virtual super-user.

37. (Original) The computer program product of claim 21, further comprising:
program code for disallowing execution of the system call in response to the intercepted
system call comprising a system call for inserting a module into an operating
system kernel.

38. (Original) The computer program product of claim 21, wherein program code for 
allowing comprises: 

program code for executing the system call. 

39. (Original) The computer program product of claim 21, wherein program code 
intercepting a system call comprises: 

program code for loading a system call wrapper; 
program code for saving a pointer to the system call; and 

program code for replacing the pointer to the system call with a pointer to the system call 
wrapper, such that the system call wrapper is executed when the system call is 
invoked. 

40. (Currently Amended) The computer program product of claim 49 39, wherein the
pointer to the first system call comprises a system call vector. 

41. (Original) A system for virtualizing super-user privileges in a computer operating 
system including multiple virtual processes, the system comprising: 

a virtual super-user designation module for designating a plurality of virtual super-users,
each virtual super-user being associated with a separate virtual process; and
a system call wrapper for intercepting a system call for which actual super-user privileges
are required and, in response to the intercepted system call being made by a virtual
super-user and pertaining to the virtual process of the virtual super-user, granting
actual super-user privileges to the virtual super-user and allowing execution of the
system call.

42. (Original) The system of claim 41, wherein the system call wrapper is further 
configured to withdraw the actual super-user privileges from the virtual super-user after 
execution of the system call. 

43. (Original) The system of claim 41, wherein the virtual super-user designation module
is further configured to assign a virtual super-user identifier to each virtual super-user. 

44. (Original) The system of claim 43, wherein each virtual super-user identifier 
comprises a super-user identifier and an indication of a virtual process. 

45. (Original) The system of claim 41, wherein the virtual super-user designation module
is further configured to assign a user identifier to a virtual super-user and store the user identifier 
and an indication of the virtual process of the virtual super-user in a virtual super-user list. 

46. (Original) The system of claim 41, wherein the system call wrapper is further 
configured to assign a super-user identifier to the virtual super-user. 

47. (Original) The system of claim 41, wherein the intercepted system call comprises a 
system call for accessing a file. 

48. (Original) The system of claim 47, wherein the intercepted system call pertains to the 
virtual process of the virtual super-user when the file to be accessed is associated with the same 
virtual process. 

49. (Original) The system of claim 41, wherein the intercepted system call comprises a 
system call for terminating a process. 

50. (Original) The system of claim 49, wherein the intercepted system call pertains to the 
virtual process of the virtual super-user when the process to be terminated is associated with the 
same virtual process. 

51. (Original) The system of claim 41, wherein the intercepted system call comprises a 
system call for terminating all processes associated with a virtual process, and wherein the 
system call wrapper is further configured to identify each process associated with the virtual
process and terminate each identified process. 

52. (Original) The system of claim 51, further comprising: 

an association data structure for storing associations between processes and virtual
processes, wherein the system call wrapper is further configured to identify each
process by its association with the virtual process in the association data structure.

53. (Original) The system of claim 41, wherein the system call is made by a virtual 
super-user when a user making the call has a virtual super-user identifier. 

54. (Original) The system of claim 41, wherein the system call is made by a virtual 
super-user when a user making the call has user identifier in a virtual super-user list. 

55. (Original) The system of claim 41, wherein the system call wrapper is further 
configured to disallow execution of the intercepted system call in response to the intercepted 
system call not being made by a virtual super-user. 

56. (Original) The system of claim 41, wherein the system call wrapper is further 
configured to disallow execution of the intercepted system call in response to the intercepted 
system call being made by a virtual super-user and not pertaining to the virtual process of the 
virtual super-user. 

57. (Original) The system of claim 41, wherein the system call wrapper is further
configured to disallow execution of the intercepted system call in response to the intercepted 
system call comprising a system call for inserting a module into an operating system kernel. 

58. (Original) The system of claim 41, wherein the system call wrapper is further 
configured to execute the system call. 
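
The wrapper logic recited in the claims above (pointer replacement per claim 19, the refusals of claims 15 to 17, the grant of claim 6 and the withdrawal of claim 2), modelled as a user-space C program. This is an added illustration, not code from the application. The table `sys_table`, the uid and pid values and all function names are constructed assumptions, and only process termination and module insertion are modelled.

```c
#include <stddef.h>

/* Constructed user-space model: no real kernel table or credentials are touched. */
enum { ALLOW = 0, DENY_NOT_VSU = -1, DENY_FOREIGN_VP = -2, DENY_MODULE = -3 };
enum { SC_KILL, SC_INSERT_MODULE, SC_COUNT };
struct cred  { int uid, euid; };
struct entry { int id, vp; };                    /* id -> virtual process */

static const struct entry vsu_list[] = { {1001, 1}, {1002, 2} };         /* claim 5 list */
static const struct entry assoc[]    = { {500, 1}, {501, 1}, {600, 2} }; /* pid -> vp */

static int lookup(const struct entry *t, size_t n, int id)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].id == id) return t[i].vp;
    return -1;                                   /* unknown user or process */
}
#define VP_OF(tab, id) lookup(tab, sizeof(tab) / sizeof((tab)[0]), (id))

typedef int (*syscall_fn)(struct cred *, int target);
static int last_euid = -1, euid_after = -1;      /* observations for checking */
static int real_call(struct cred *c, int target) { (void)target; last_euid = c->euid; return ALLOW; }
static syscall_fn sys_table[SC_COUNT] = { real_call, real_call };
static syscall_fn saved[SC_COUNT];               /* claim 19: saved original pointers */
static int current_nr;                           /* call number being served */

static int wrapper(struct cred *c, int target)
{
    int vp = VP_OF(vsu_list, c->uid);
    if (current_nr == SC_INSERT_MODULE) return DENY_MODULE;     /* claim 17 */
    if (vp < 0) return DENY_NOT_VSU;                            /* claim 15 */
    if (VP_OF(assoc, target) != vp) return DENY_FOREIGN_VP;     /* claim 16 */
    c->euid = 0;                                 /* grant super-user id (claim 6) */
    int rc = saved[current_nr](c, target);       /* allow the original call */
    c->euid = c->uid;                            /* withdraw afterwards (claim 2) */
    return rc;
}
void install_wrappers(void)                      /* claim 19: swap the pointers */
{
    for (int i = 0; i < SC_COUNT; i++)
        if (sys_table[i] != wrapper) { saved[i] = sys_table[i]; sys_table[i] = wrapper; }
}
int do_syscall(int nr, int uid, int target)
{
    struct cred c = { uid, uid };
    current_nr = nr;
    int rc = sys_table[nr](&c, target);
    euid_after = c.euid;                         /* must equal uid again */
    return rc;
}
int main(void) { install_wrappers(); return do_syscall(SC_KILL, 1001, 500); }
```

The security-relevant property is that the elevated identifier exists only between the grant and the withdrawal, and only after both the caller check and the target check have passed.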